users@glassfish.java.net

GlassFish 3.1.1 security

From: Glenn Holmer <gholmer_at_weycogroup.com>
Date: Tue, 16 Aug 2011 16:50:42 -0500

We have an app that we've been running under GlassFish 3.0.1, and we
want to run it under 3.1.1. We've been running GlassFish fronted by
Apache, which handles SSL, and everything works OK. For 3.1.1, we used
these commands in place of the "old way" of putting the Tomcat jars in
GlassFish's lib/ directory:

asadmin create-http-listener --listenerport 8009 --listeneraddress 0.0.0.0 --defaultvs server jk-listener
asadmin set server-config.network-config.network-listeners.network-listener.jk-listener.jk-enabled=true

We are not yet using clustering/load balancing, so we are using the
default "server-config" configuration. Apache correctly forwards most
pages to GlassFish, except those that are protected.

In web.xml, we have this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>phoenix_auth</web-resource-name>
    <description>Phoenix security</description>
    <!-- the pages which will be protected: -->
    <url-pattern>/customers/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This all worked fine under 3.0.1 (unless I forgot to write down a step
re. how we configured it).

But under 3.1.1, when I hit a page under /customers/, I get this:

[#|2011-08-16T16:38:07.075-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.security|_ThreadID=22;_ThreadName=Thread-2;|JACC Policy Provider:Failed Permission Check: context (" phoenix-jee6/phoenix-jee6-war-bo_war ") , permission (" (javax.security.jacc.WebUserDataPermission /customers/checkout.html GET) ") |#]

[#|2011-08-16T16:38:07.076-0500|SEVERE|glassfish3.1.1|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=22;_ThreadName=Thread-2;|PWC3989: An exception or error occurred in the container during the request processing
java.lang.ArrayIndexOutOfBoundsException: 1
        at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:971)
        at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1090)
        at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:941)
        at com.sun.web.security.RealmAdapter.hasUserDataPermission(RealmAdapter.java:865)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:511)

What have we done wrong? Is something different in 3.1.1, or did we just
miss a step?

-- 
____________________________________________________________
Glenn Holmer                          gholmer_at_weycogroup.com
Software Engineer                        phone: 414-908-1809
Weyco Group, Inc.                          fax: 414-908-1601
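
A triage helper for the server.log excerpt in the message above, added here as an example and not part of the original post or of GlassFish: it parses the [#|...|#] records, pulls the context, permission and resource out of each JACC "Failed Permission Check", and pairs it with the next SEVERE record on the same thread. The sample input is constructed from the two records quoted in the post plus one unrelated record, and the function names are hypothetical.

```python
import re

# GlassFish server.log record: [#|time|level|product|logger|key=value;...|message|#]
RECORD = re.compile(
    r"\[#\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*?)\|#\]", re.S)
# JACC denial text, in the shape shown in the log excerpt above.
JACC = re.compile(r'Failed Permission Check: context \("\s*(.*?)\s*"\)\s*,\s*'
                  r'permission \("\s*\((\S+)\s+(.*?)\)\s*"\)')
EXC = re.compile(r"^[\w.$]+(?:Exception|Error)(?::[ \t]*.*)?$", re.M)
FRAME = re.compile(r"^\s*at (\S+)\(", re.M)

def parse_records(text):
    """Yield one dict per record; a message may span lines (stack traces)."""
    for ts, level, _product, logger, kv, msg in RECORD.findall(text):
        fields = dict(p.split("=", 1) for p in kv.split(";") if "=" in p)
        yield {"ts": ts, "level": level, "logger": logger,
               "thread": fields.get("_ThreadID"), "msg": msg.strip()}

def triage(text):
    """Pair each JACC denial with the next SEVERE record on the same thread."""
    hits, pending = [], {}
    for rec in parse_records(text):
        m = JACC.search(rec["msg"])
        if m:
            resource, _, actions = m.group(3).partition(" ")
            hit = {"context": m.group(1), "permission": m.group(2).rsplit(".", 1)[-1],
                   "resource": resource, "actions": actions,
                   "exception": None, "thrown_in": None}
            pending[rec["thread"]] = hit
            hits.append(hit)
        elif rec["level"] == "SEVERE" and rec["thread"] in pending:
            hit = pending.pop(rec["thread"])
            exc, frame = EXC.search(rec["msg"]), FRAME.search(rec["msg"])
            hit["exception"] = exc.group(0) if exc else None
            hit["thrown_in"] = frame.group(1) if frame else None
    return hits

# Constructed sample: the post's two records (unwrapped, closed with |#]) plus one unrelated record.
SAMPLE = """[#|2011-08-16T16:38:07.075-0500|INFO|glassfish3.1.1|javax.enterprise.system.core.security|_ThreadID=22;_ThreadName=Thread-2;|JACC Policy Provider:Failed Permission Check: context (" phoenix-jee6/phoenix-jee6-war-bo_war ") , permission (" (javax.security.jacc.WebUserDataPermission /customers/checkout.html GET) ") |#]
[#|2011-08-16T16:38:07.076-0500|INFO|glassfish3.1.1|javax.enterprise.system.core|_ThreadID=23;_ThreadName=Thread-3;|constructed unrelated message|#]
[#|2011-08-16T16:38:07.076-0500|SEVERE|glassfish3.1.1|org.apache.catalina.connector.CoyoteAdapter|_ThreadID=22;_ThreadName=Thread-2;|PWC3989: An exception or error occurred in the container during the request processing
java.lang.ArrayIndexOutOfBoundsException: 1
        at com.sun.web.security.RealmAdapter.getHostAndPort(RealmAdapter.java:971)
        at com.sun.web.security.RealmAdapter.redirect(RealmAdapter.java:1090)
|#]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```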